
IAM Policies for EKS

Service Role ARN

A service role that combines AWS managed and customer-defined policies is required to access Amazon EKS. This role is attached to the EKS control plane when the EKS cluster is provisioned. The Role ARN is provided as input during cluster creation in the Rafay Console.

The following policies should be attached to the Service Role.

  • AWS Managed Policies

    • AmazonEKSClusterPolicy
    • AmazonEKSVPCResourceController
  • Customer Defined Policies (each is required only if you use the functionality that policy grants)

    • Cluster-PolicyCloudWatchMetrics

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "cloudwatch:PutMetricData"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • Cluster-PolicyELBPermissions

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "ec2:DescribeAccountAttributes",
                      "ec2:DescribeAddresses",
                      "ec2:DescribeInternetGateways"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

Node Instance Role ARN

A node instance role that combines AWS managed and customer-defined policies is required to access Amazon EKS, ECS, and additional services. This role is attached to the EKS worker nodes during provisioning. The Role ARN is provided as input during cluster creation.

The following policies and permissions should be associated with the Node Instance Role.

  • AWS Managed Policies

    • AmazonEKSWorkerNodePolicy
    • AmazonEC2ContainerRegistryPowerUser
    • AmazonEKS_CNI_Policy
  • Customer Defined Policies (each is required only if you use the functionality that policy grants)

    • nodegroup-PolicyAppMesh

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "servicediscovery:CreateService",
                      "servicediscovery:DeleteService",
                      "servicediscovery:GetService",
                      "servicediscovery:GetInstance",
                      "servicediscovery:RegisterInstance",
                      "servicediscovery:DeregisterInstance",
                      "servicediscovery:ListInstances",
                      "servicediscovery:ListNamespaces",
                      "servicediscovery:ListServices",
                      "servicediscovery:GetInstancesHealthStatus",
                      "servicediscovery:UpdateInstanceCustomHealthStatus",
                      "servicediscovery:GetOperation",
                      "route53:GetHealthCheck",
                      "route53:CreateHealthCheck",
                      "route53:UpdateHealthCheck",
                      "route53:ChangeResourceRecordSets",
                      "route53:DeleteHealthCheck",
                      "appmesh:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyAutoScaling

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "autoscaling:DescribeAutoScalingGroups",
                      "autoscaling:DescribeAutoScalingInstances",
                      "autoscaling:DescribeLaunchConfigurations",
                      "autoscaling:DescribeTags",
                      "autoscaling:SetDesiredCapacity",
                      "autoscaling:TerminateInstanceInAutoScalingGroup",
                      "ec2:DescribeLaunchTemplateVersions"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyAWSLoadBalancerController

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Condition": {
                      "StringEquals": {
                          "ec2:CreateAction": "CreateSecurityGroup"
                      },
                      "Null": {
                          "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                      }
                  },
                  "Action": [
                      "ec2:CreateTags"
                  ],
                  "Resource": "arn:aws:ec2:*:*:security-group/*",
                  "Effect": "Allow"
              },
              {
                  "Condition": {
                      "Null": {
                          "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                          "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                  },
                  "Action": [
                      "ec2:CreateTags",
                      "ec2:DeleteTags"
                  ],
                  "Resource": "arn:aws:ec2:*:*:security-group/*",
                  "Effect": "Allow"
              },
              {
                  "Condition": {
                      "Null": {
                          "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                      }
                  },
                  "Action": [
                      "elasticloadbalancing:CreateLoadBalancer",
                      "elasticloadbalancing:CreateTargetGroup"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Condition": {
                      "Null": {
                          "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                          "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                  },
                  "Action": [
                      "elasticloadbalancing:AddTags",
                      "elasticloadbalancing:RemoveTags"
                  ],
                  "Resource": [
                      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Condition": {
                      "Null": {
                          "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                  },
                  "Action": [
                      "ec2:AuthorizeSecurityGroupIngress",
                      "ec2:RevokeSecurityGroupIngress",
                      "ec2:DeleteSecurityGroup",
                      "elasticloadbalancing:ModifyLoadBalancerAttributes",
                      "elasticloadbalancing:SetIpAddressType",
                      "elasticloadbalancing:SetSecurityGroups",
                      "elasticloadbalancing:SetSubnets",
                      "elasticloadbalancing:DeleteLoadBalancer",
                      "elasticloadbalancing:ModifyTargetGroup",
                      "elasticloadbalancing:ModifyTargetGroupAttributes",
                      "elasticloadbalancing:DeleteTargetGroup"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "elasticloadbalancing:RegisterTargets",
                      "elasticloadbalancing:DeregisterTargets"
                  ],
                  "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "iam:CreateServiceLinkedRole",
                      "ec2:DescribeAccountAttributes",
                      "ec2:DescribeAddresses",
                      "ec2:DescribeInternetGateways",
                      "ec2:DescribeVpcs",
                      "ec2:DescribeSubnets",
                      "ec2:DescribeSecurityGroups",
                      "ec2:DescribeInstances",
                      "ec2:DescribeNetworkInterfaces",
                      "ec2:DescribeTags",
                      "elasticloadbalancing:DescribeLoadBalancers",
                      "elasticloadbalancing:DescribeLoadBalancerAttributes",
                      "elasticloadbalancing:DescribeListeners",
                      "elasticloadbalancing:DescribeListenerCertificates",
                      "elasticloadbalancing:DescribeSSLPolicies",
                      "elasticloadbalancing:DescribeRules",
                      "elasticloadbalancing:DescribeTargetGroups",
                      "elasticloadbalancing:DescribeTargetGroupAttributes",
                      "elasticloadbalancing:DescribeTargetHealth",
                      "elasticloadbalancing:DescribeTags",
                      "cognito-idp:DescribeUserPoolClient",
                      "acm:ListCertificates",
                      "acm:DescribeCertificate",
                      "iam:ListServerCertificates",
                      "iam:GetServerCertificate",
                      "waf-regional:GetWebACL",
                      "waf-regional:GetWebACLForResource",
                      "waf-regional:AssociateWebACL",
                      "waf-regional:DisassociateWebACL",
                      "wafv2:GetWebACL",
                      "wafv2:GetWebACLForResource",
                      "wafv2:AssociateWebACL",
                      "wafv2:DisassociateWebACL",
                      "shield:GetSubscriptionState",
                      "shield:DescribeProtection",
                      "shield:CreateProtection",
                      "shield:DeleteProtection",
                      "ec2:AuthorizeSecurityGroupIngress",
                      "ec2:RevokeSecurityGroupIngress",
                      "ec2:CreateSecurityGroup",
                      "elasticloadbalancing:CreateListener",
                      "elasticloadbalancing:DeleteListener",
                      "elasticloadbalancing:CreateRule",
                      "elasticloadbalancing:DeleteRule",
                      "elasticloadbalancing:SetWebAcl",
                      "elasticloadbalancing:ModifyListener",
                      "elasticloadbalancing:AddListenerCertificates",
                      "elasticloadbalancing:RemoveListenerCertificates",
                      "elasticloadbalancing:ModifyRule"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyEFS

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "elasticfilesystem:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyEFSEC2

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "ec2:DescribeSubnets",
                      "ec2:CreateNetworkInterface",
                      "ec2:DescribeNetworkInterfaces",
                      "ec2:DeleteNetworkInterface",
                      "ec2:ModifyNetworkInterfaceAttribute",
                      "ec2:DescribeNetworkInterfaceAttribute"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyExternalDNSChangeSet

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "route53:ChangeResourceRecordSets"
                  ],
                  "Resource": "arn:aws:route53:::hostedzone/*",
                  "Effect": "Allow"
              }
          ]
      }
      

    • nodegroup-PolicyExternalDNSHostedZones

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "route53:ListHostedZones",
                      "route53:ListResourceRecordSets",
                      "route53:ListTagsForResource"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
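
As an added example (not code from this page or from Rafay), the following least-privilege review of the customer-defined policies above embeds three statements copied from the page and flags service-wide wildcard actions such as elasticfilesystem:* and mutating actions allowed on Resource "*" with no Condition; the load balancer controller statements pass because they are scoped by ARN or by tag conditions.

```python
# Added example (not Rafay's own code): least-privilege review of the policy documents on this
# page. Three statements are embedded below, copied from the page, so the check runs offline.
POLICIES = {
    "nodegroup-PolicyEFS": {"Version": "2012-10-17", "Statement": [
        {"Action": ["elasticfilesystem:*"], "Resource": "*", "Effect": "Allow"}]},
    "nodegroup-PolicyAutoScaling": {"Version": "2012-10-17", "Statement": [
        {"Action": ["autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeLaunchConfigurations",
                    "autoscaling:DescribeTags",
                    "autoscaling:SetDesiredCapacity",
                    "autoscaling:TerminateInstanceInAutoScalingGroup",
                    "ec2:DescribeLaunchTemplateVersions"],
         "Resource": "*", "Effect": "Allow"}]},
    "nodegroup-PolicyAWSLoadBalancerController (statement 1)": {"Version": "2012-10-17", "Statement": [
        {"Condition": {"StringEquals": {"ec2:CreateAction": "CreateSecurityGroup"},
                       "Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}},
         "Action": ["ec2:CreateTags"],
         "Resource": "arn:aws:ec2:*:*:security-group/*", "Effect": "Allow"}]},
}
READ_ONLY_VERBS = ("Describe", "List", "Get")

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_mutating(action):
    """Treat every verb except Describe/List/Get as mutating (a deliberately strict rule)."""
    verb = action.split(":", 1)[-1]
    return not verb.startswith(READ_ONLY_VERBS)

def review_policy(name, doc):
    """Return (policy name, finding) tuples for one IAM policy document."""
    findings = []
    for i, stmt in enumerate(doc["Statement"], start=1):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        for act in actions:
            if act == "*" or act.endswith(":*"):
                findings.append((name, f"statement {i}: service-wide wildcard action {act}"))
        if "*" in resources and "Condition" not in stmt and any(map(is_mutating, actions)):
            findings.append((name, f"statement {i}: mutating actions on Resource * without a Condition"))
    return findings

def review_all(policies=POLICIES):
    """Review every policy; a statement scoped by an ARN resource or a Condition yields nothing."""
    return [f for n, d in policies.items() for f in review_policy(n, d)]
```

Run review_all() on the full set of policies from this page to see which statements a tightened Resource or Condition would improve.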
      

Instance Profile ARN

Instance profiles are the mechanism for passing an IAM role to an EC2 instance. As part of the cluster creation process, Rafay can pass the Node Instance Role created above to the EKS worker nodes, which run on EC2 instances. An instance profile can be created with the CLI or API in three steps: create the instance profile, add any additional tags, and then add the Node Instance Role to the instance profile. The Role ARN is provided as input during cluster creation in the Rafay Console.

Using Instance Profiles

Note

Customers who manage their own IAM roles and policies and have not yet created an EKS cluster must create two (2) additional AWS service-linked roles. These roles are created automatically when an EKS cluster is launched. If no cluster has been launched in the working account and the controller does not have the IAM permissions needed to create them, follow the instructions below to create the Auto Scaling and EKS service-linked roles.

Autoscaling service-linked role creation

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles, Create role.
  3. For Select type of trusted entity, choose AWS service.
  4. For Choose the service that will use this role, choose EC2 Auto Scaling and the EC2 Auto Scaling use case.
  5. Choose Next: Permissions, Next: Tags, and then Next: Review. Note: You cannot attach tags to service-linked roles during creation.
  6. On the Review page, leave Role name blank to create a service-linked role with the name AWSServiceRoleForAutoScaling.
  7. (Optional) For Role description, edit the description for the service-linked role.
  8. Choose Create role.

EKS service-linked role creation

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles, Create role.
  3. For Select type of trusted entity, choose EKS service.
  4. For Choose the service that will use this role, choose EKS use case.
  5. Choose Next: Permissions, Next: Tags, and then Next: Review. Note: You cannot attach tags to service-linked roles during creation.
  6. On the Review page, leave Role name blank to create a service-linked role with the name AWSServiceRoleForAmazonEKS.
  7. (Optional) For Role description, edit the description for the service-linked role.
  8. Choose Create role.
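
The three-step instance profile procedure above and the two service-linked role procedures, as one added example (not Rafay's own code) written in Python against the boto3 IAM client: the client is passed in so the functions can be exercised with a stand-in, and NODE_ROLE_NAME, PROFILE_NAME and the rafay:cluster tag are constructed placeholders rather than values from this page.

```python
# Added example (not Rafay's own code): create the instance profile for the Node Instance Role
# and the two service-linked roles with a boto3 IAM client supplied by the caller. The role and
# profile names are constructed placeholders; replace them with your account's values.
NODE_ROLE_NAME = "rafay-eks-node-instance-role"      # constructed placeholder
PROFILE_NAME = "rafay-eks-node-instance-profile"     # constructed placeholder
SERVICE_LINKED_ROLES = {                             # service principal -> role name IAM assigns
    "autoscaling.amazonaws.com": "AWSServiceRoleForAutoScaling",
    "eks.amazonaws.com": "AWSServiceRoleForAmazonEKS",
}

def ensure_instance_profile(iam, profile_name=PROFILE_NAME, role_name=NODE_ROLE_NAME, tags=()):
    """Create the profile, tag it, attach the node role; return the profile ARN.
    `iam` is a boto3 IAM client or a stand-in exposing the same methods."""
    try:
        profile = iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]
    except iam.exceptions.NoSuchEntityException:
        profile = iam.create_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]
    if tags:
        iam.tag_instance_profile(InstanceProfileName=profile_name,
                                 Tags=[{"Key": k, "Value": v} for k, v in tags])
    # An instance profile holds at most one role, so attach only when it is not already there.
    attached = {r["RoleName"] for r in profile.get("Roles", [])}
    if role_name not in attached:
        iam.add_role_to_instance_profile(InstanceProfileName=profile_name, RoleName=role_name)
    return profile["Arn"]

def ensure_service_linked_roles(iam, services=SERVICE_LINKED_ROLES):
    """Create whichever of the Auto Scaling and EKS service-linked roles is missing; return the names created."""
    created = []
    for service, role_name in services.items():
        try:
            iam.get_role(RoleName=role_name)   # already present, e.g. a cluster was launched before
        except iam.exceptions.NoSuchEntityException:
            iam.create_service_linked_role(AWSServiceName=service)
            created.append(role_name)
    return created

if __name__ == "__main__":
    import boto3   # only needed when running against a real account
    client = boto3.client("iam")
    print("created service-linked roles:", ensure_service_linked_roles(client))
    print("instance profile ARN:", ensure_instance_profile(client, tags=[("rafay:cluster", "demo")]))
```

The ARN that ensure_instance_profile returns is the value entered in the Rafay Console; both functions are idempotent, so re-running them after a partial failure is safe.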